Industry Special Invitations - $24,000

To pay for travel and conference expenses for GIC "special invitations" to each AppSec EU, AppSec USA, AppSec SA, and AppSec Asia to work towards GIC outreach initiatives. These individuals will participate in a roundtable or working session regarding GIC relevancy and industry alignment.

The cost can be broken up as 3 invitations to each of the 4 conferences, or more invitations to just one or two conferences, strategy TBD. Avg. cost per person = $2,000

GIC Member Travel - $16,000

For two members of the committee to attend each AppSec EU, AppSec USA, AppSec SA, and AppSec Asia to work towards GIC outreach initiatives. Avg. cost per person = $2,000

Administrative - $16,000

Administrative Support for 2011 & 2012 (@$5k /year) and travel costs for AppSec conferences to coordinate GIC outreach initiatives/working sessions. Note $5,000 of this has already been approved by the board for admin support for 2011.

Discussions, Actions and Results

Budget

SB and JB prepared a high-level GIC budget for 2011 – SB emailed it to the committee last night. Committee members are asked to comment no later than Monday so the proposed budget can be submitted to the Board for the Tuesday (3/8/2011) meeting.

Comment – SB's administrative costs are not included in the budget. The budget should include the $5,000 already approved by the Board for 2011 and administrative costs for 2012. All agreed that Sarah should continue in the administrative support role for this year and into next year.

Action item: JB and SB to revise budget and email committee by EOD so that they can comment before submission to board on Tuesday morning.

2011 AppSec Conferences: AppSec EU, AppSec USA, and AppSec SA

There has been discussion about using the App Sec conferences as a venue for Industry working groups and discussions with verticals – what is our plan for this?

JB – This should be a two-tiered approach:

1) GIC contacts conference coordinators to find out their plan for working with local industries (who may or may not attend local OWASP meetings). GIC asks for support from conference coordinators in working with verticals to be targeted for attendance at the conference.

2) Based on the verticals targeted (as decided in #1), GIC sends invitations asking individuals who should be part of the discussion/working group to attend.

RB – Will focus on the Government vertical. It is important to keep the approach and strategy for each vertical separate. What works for Government may not be the right strategy for the Financial industry.

JB – We will keep the plan for industry outreach general for now, but as we gain momentum within the committee we will work towards more specific plans. At the conferences, we should organize a single industry session with breakouts (as applicable) for specific verticals.

MF – in contact with organizers for AppSec SA and will work on establishing which verticals GIC should target at this conference.

Discuss “Rules of Engagement” for GIC Outreach

Discussion started at the Summit in relation to whether the GIC/OWASP should have an NDA with companies it engages with. It was decided that GIC/OWASP will NOT engage in any NDAs, as it goes against OWASP's founding principle of openness.

John Steven raised the possibility of setting up “rules of engagement”…

Since the first summit, we've all heard several well-respected members of the OWASP community--who are not vendors--lament how difficult it is for them to contribute. The situation faced remains what it was and is simply:

There is no formal conduit through which the participation of commercial entities and their employees feel comfortable contributing while protecting their organization's privacy, intellectual property, and employment.

Some organizations and their employees can participate without such a formal conduit, and that's great. Others will not be able to. I imagine we want to actively include those who are currently precluded, even in a first such attempt at outreach for greater involvement. Something Joe, Tom, and other representatives from commercial entities and I have talked about is establishing some 'ground rules' for working with these reluctant organizations. Ground rules would need to address the issues I described in the breakout above.

TUV – The issue is how to get around signing an NDA (meeting the OWASP objective of openness) while also protecting corporate interests.

JB – will reach out to FS-ISAC regarding their membership agreement, which he thinks has terms or is a bilateral agreement regarding the protection of corporate interests.

JB – Right now in OWASP we have a $5k Corporate Membership and a $50 individual membership. Maybe we should have something in the middle, for example: a $500 corporate employee membership - where there is an open disclosure but still a protection of their interests in their membership agreement. These corporate members would have access to vertical driven content, and the ability to interact with peers with similar appsec issues.

RB – this still sounds too “NDA”ish. Although it isn’t called an NDA, it sounds like an NDA.

JB – We could focus on collecting data from the corporate verticals regarding the most common vulnerabilities for that vertical. Then we can sanitize the data and report metrics.

MF – Not fond of an NDA; we need to protect sources, but not the information itself.

SB – It sounds like we would like to do something similar to the media who want to protect their sources, but still report on the information…

JB – In agreement with MF and SB, we will represent the data through sanitized metrics but not disclose the source.

RB – to email out annual survey results from Grant Thornton, which we may want to use as a model or starting point.

GIC Mailing List

Who wants to be a list moderator?

No one volunteered to moderate the list, so SB will be list administrator and moderator for now.

DC requested to be taken off the list as moderator.

JB – Proposed to keep the public mailing list (as it currently exists) and also create a private list for committee-only discussion and a private list for each vertical. The private lists would then post to the public list once they have decided what information should be made publicly available.

MF – We should default to posting to the public list, but if there are special instances or specific reasons for keeping things private, we can email committee members only.

For the time being, if you want something sent out to committee members only (and don't have their addresses), send it to SB and she will forward it to committee members.

Action items: SB to talk to Larry Casey about 1) no moderation for committee members posting to list and 2) sending a copy of the message to the sender

Update on Revised GIC Mission

New mission (proposed): To expand the engagement of OWASP and its mission amongst the public and private sector verticals, through outreach; including presentations, development of position papers and collaborative efforts. The Global Industry Committee serves as the voice of OWASP within the public and private sector and the channel through which OWASP aligns its efforts to the demands of the market.

SB sent a copy of the revised mission to the list last night.

Committee members should look this over by next week and comment so we can vote on the new mission statement (if possible) by the end of the week.

Vote on New GIC Members

SB – NK needs to resign from GEC before she can be an official member of GIC (no one can be an official member of more than one global committee)

NK – will follow up with GEC re: resignation, including JB and SB

Committee vote on new members: Mauro Flores, Mateo Martinez, and Nishi Kumar. No opposition. New membership of all three approved/passed.

GIC Task List

SB set up a Google spreadsheet (GIC Member Task List) to be used in tracking each committee member's deliverables as well as focus areas.

JB – this will not be used to assign tasks without members knowing, only used to track what each member volunteers to do or work on.

Next Meeting

Friday, 18 March 2011 at 17:00 GMT

+1 877 534 8500 or International +1 513 534 8500

Passcode 410105 #

Agenda forthcoming

Summary

Post-Meeting Deliverables (for JB and SB)

Amend the GIC Budget to include administrative costs (for SB in 2011 and 2012, as well as travel), email it to the GIC, and submit it to the Board on Tuesday for a vote (unless the GIC raises problems).

Industry Special Invitations - $24,000

To pay for travel and conference expenses for GIC "special invitations" to each AppSec EU, AppSec USA, AppSec SA, and AppSec Asia to work towards GIC outreach initiatives. These individuals will participate in a roundtable or working session regarding GIC relevancy and industry alignment.

The cost can be broken up as 3 invitations to each of the 4 conferences, or more invitations to just one or two conferences, strategy TBD. Avg. cost per person = $2,000

GIC Member Travel - $16,000

For two members of the committee to attend each AppSec EU, AppSec USA, AppSec SA, and AppSec Asia to work towards GIC outreach initiatives. Avg. cost per person = $2,000

Administrative - $16,000

Administrative Support for 2011 & 2012 (@$5k /year) and travel costs for AppSec conferences to coordinate GIC outreach initiatives/working sessions. Note $5,000 of this has already been approved by the board for admin support for 2011.